Researchers at Bishop Fox have shown that three maximum-severity flaws Ubiquiti patched in May can be chained into a single attack that hands an unauthenticated attacker root access to UniFi OS Server with one crafted web request. Two flaws (CVE-2026-34908 and CVE-2026-34909) bypass the login gateway by abusing how the server reads encoded web addresses; the third (CVE-2026-34910) injects commands into the package-update feature, which runs with passwordless sudo, making escalation to root trivial. The flaws hit version 5.0.6 and earlier across widely used gear like UDM, UCG, and UNVR appliances. Bishop Fox released a free script to check for exposure.